Abstract. For small odd primes $p$, we prove that most of the rational points 
on the modular curve $X_0(p)/w_p$ parametrize pairs of elliptic curves having 
infinitely many supersingular primes. This result extends the class of elliptic 
curves for which the infinitude of supersingular primes is known. We give 
concrete examples illustrating how these techniques can be explicitly used to 
construct supersingular primes for such elliptic curves. Finally, we discuss 
generalizations to points defined over larger number fields and indicate the 
types of obstructions that arise for higher level modular curves. 



1. Introduction 

Let $E$ be an elliptic curve defined over a number field. It is conjectured that 
$E$ has infinitely many prime ideals of supersingular reduction. For curves $E$ with 
complex multiplication, a classical result of Deuring [4] states that the supersingular 
primes have density 1/2. More recently, Elkies proved that $E$ always has infinitely 
many supersingular primes whenever it is defined over a real number field [H], or 
when the absolute norm of $j(E) - 1728$ has a prime factor congruent to 1 mod 4 
and occurring with odd exponent [H]. In this article we prove that the number of 
supersingular primes is infinite for certain elliptic curves which do not satisfy any 
of the above conditions, thereby providing the first new examples of such curves 
since the work of Elkies. 

Specifically, for $p$ prime, let $w_p$ be the unique Atkin-Lehner involution on 
the modular curve $X_0(p)$, and write $X_0^*(p)$ for the quotient curve $X_0(p)/w_p$. Then 
$X_0^*(p)$ is a moduli space parameterizing unordered pairs of elliptic curves $\{E, E'\}$ 
together with a cyclic $p$-isogeny $\phi\colon E \to E'$. The main result of this paper is the 
following: 

Theorem 1.1. Suppose $p$ is equal to 3, 5, 7, 11, 13, or 19. Let $\{E, E'\}$ be a 
pair of elliptic curves parametrized by a rational point on the moduli space $X_0^*(p)$, 
and suppose $E$ does not have supersingular reduction mod $p$. Then $E$ has infinitely 
many supersingular primes. 

For pairs $E$, $E'$ whose $j$-invariants are imaginary quadratic conjugates, the 
theorem provides new examples of ordinary elliptic curves with infinitely many 
supersingular primes. In Section 2 we introduce the Heegner point analogues of Hilbert 
class polynomials that enable the proof of Theorem 1.1. Section 3 analyzes the 
real roots of these polynomials, and Section 4 gives the proof of the theorem. 
Section 5 explains the precise relationship between the curves $E$ of Theorem 1.1 and 
the curves of jSj and [H]. 
2. Class polynomial calculations 

Fix an odd prime $p$ such that $X_0^*(p)$ has genus 0. In this section we do not 
impose any other conditions on $p$. Therefore $p$ is one of 3, 5, 7, 11, 13, 17, 19, 
23, 29, 31, 41, 47, 59, or 71. Under these conditions, we will construct a sequence 
of polynomials for $X_0^*(p)$ which are analogues to the Hilbert class polynomials for 
$X(1)$. Instead of using CM points on $X(1)$ we will use Heegner points on $X_0^*(p)$. 
We then describe how our variant class polynomials factor into near perfect squares 
modulo primes $\ell \neq p$ and later modulo $\ell = p$. We also classify all of the real roots 
of these polynomials. Taken together, these properties of the class polynomials 
can be used to construct supersingular primes for points on $X_0^*(p)$. For $\ell = p$, 
our square factorization results only hold for small values of $p$, which explains why 
Theorem 1.1 is restricted to these values. 

The case $p = 2$ is omitted because its Heegner points exhibit very different 
behavior from the odd case. A discussion of this case can be found in [10]. 

For negative integers $D \equiv 0$ or $1 \bmod 4$, write $\mathcal{O}_D$ for the unique imaginary 
quadratic order of discriminant $D$. We assume throughout this chapter that $D$ is 
of the form $-p\ell$ or $-4p\ell$ for some prime $\ell \neq p$. For either choice of $D$, we denote 
by $\mathfrak{p}$ the ideal of $\mathcal{O}_D$ generated by $p$ and $\sqrt{D}$. 

Lemma 2.1. Let $E$ be an elliptic curve over $\mathbb{C}$ with complex multiplication by 
$\mathcal{O}_D$. There is exactly one $p$-torsion subgroup of $E$ which is annihilated by the ideal 
$\mathfrak{p} \subset \mathcal{O}_D$. 

Proof. An elliptic curve $E$ with CM by $\mathcal{O}_D$ corresponds to a quotient of the complex 
plane $\mathbb{C}$ by a lattice $L$ which is homothetic to an ideal class in $\mathcal{O}_D$. By scaling $L$ 
appropriately, we may assume $L = \langle 1, \tau \rangle$ where $\tau = \frac{-b + \sqrt{D}}{2a}$ is in the upper 
half plane $\mathbb{H}$, with $b^2 - 4ac = D$. 

The $p$-torsion subgroups of $E$ are generated in $\mathbb{C}/L$ by $1/p$, $\tau/p$, $(\tau + 1)/p$, ..., 
$(\tau + (p - 1))/p$. For $z$ to be annihilated by $\mathfrak{p}$ means exactly that the $\mathbb{R}$-linear 
combination $\sqrt{D}\,z = z_1 \cdot 1 + z_2 \cdot \tau$ has integer coefficients. We have the equations: 

(1)  $\sqrt{D} \cdot \frac{1}{p} = \frac{b}{p} + \frac{2a}{p}\,\tau$ 

(2)  $\sqrt{D} \cdot \frac{\tau + k}{p} = \frac{bk - 2c}{p} + \frac{2ak - b}{p}\,\tau, \qquad k = 0, 1, 2, \ldots, p - 1$ 

Suppose first that $p \mid a$. Then the equation $D = b^2 - 4ac$ means that $p \mid b$, 
so Equation (1) shows that $1/p$ is annihilated by $\mathfrak{p}$. By Equation (2), in order for 
$(\tau + k)/p$ to be annihilated by $\mathfrak{p}$ it would have to be the case that $p \mid (bk - 2c)$, but 
this cannot happen since $p \mid b$ and $p \nmid c$. 

Conversely, if $p \nmid a$ then Equation (1) shows that $1/p$ is not annihilated by $\mathfrak{p}$, 
and one easily checks using Equation (2) that $(\tau + k)/p$ is annihilated if and only 
if $k \equiv b/2a \pmod{p}$. 

□ 

One consequence of Lemma 2.1 is that, if $\phi\colon E \to E'$ is the unique cyclic 
$p$-isogeny whose kernel is the $p$-torsion subgroup of Lemma 2.1, then $E'$ also has CM 
by $\mathcal{O}_D$. Indeed, the lattice $L'$ generated by $L$ and this $p$-torsion subgroup is closed 
under multiplication by both 1 and $\mathfrak{p}$, which additively generate all of $\mathcal{O}_D$. In the 
case where $D = -p\ell$ and hence $\mathcal{O}_D$ is a maximal order, it follows immediately that 
$L'$ has complex multiplication by $\mathcal{O}_D$. When $D = -4p\ell$, we have to make sure 
that the CM ring is not an order strictly containing $\mathcal{O}_{-4p\ell}$, of which the only one 
is $\mathcal{O}_{-p\ell}$. But the discriminants of the endomorphism rings of two $p$-isogenous CM 
elliptic curves can only differ by a multiple of $p$ if they differ at all [11], and we 
have assumed that $p$ is odd, so the discriminants cannot differ by factors of 2. 

A point on $X_0(p)$ that parameterizes isogenous curves of the same CM order is 
called a Heegner point [8]. We have just showed that every $E$ with CM by $\mathcal{O}_D$ lifts 
to a unique Heegner point on $X_0(p)$. 

Definition 2.2. For any elliptic curve $E$ with CM by $\mathcal{O}_D$, let $\underline{E}$ denote the Heegner 
point on $X_0(p)$ corresponding to the isogeny $E \to E'$ whose kernel is the $p$-torsion 
subgroup of Lemma 2.1. 

Let $j_p$ denote a Hauptmodul on $X_0^*(p)$, i.e., a rational coordinate function on 
$X_0^*(p)$ with a simple pole of residue 1 at $\infty$. Such a function exists since the curve 
$X_0^*(p)$ always has a rational cusp and we are assuming its genus is 0. 

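Proposition 2.3. For each ideal $\mathfrak{a}$ of $\mathcal{O}_D$, let $E_{\mathfrak{a}}$ denote the elliptic curve 
corresponding to $\mathbb{C}/\mathfrak{a}$. For $|D|$ sufficiently large, the minimal polynomial of $j_p(\underline{E}_{\mathfrak{p}})$ over 
$\mathbb{Q}$ is given by 

$$P_D(X) := \Bigl( \prod_{[\mathfrak{a}] \in \mathrm{Cl}(\mathcal{O}_D)} \bigl(X - j_p(\underline{E}_{\mathfrak{a}})\bigr) \Bigr)^{1/2}$$ 

where the product is taken over all ideal classes of $\mathcal{O}_D$. 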

Proof. First, note that $(X - j_p(\underline{E}_{\mathfrak{p}}))$ is one of the factors in the product. To get 
the other factors, start from the known formula 

$$H_D(X) := \prod_{[\mathfrak{a}] \in \mathrm{Cl}(\mathcal{O}_D)} \bigl(X - j(E_{\mathfrak{a}})\bigr)$$ 

for the Hilbert class polynomial $H_D(X)$, which by [3] is the minimal polynomial 
of the $j$-invariant of $E_{\mathfrak{p}}$. Let $G$ be the absolute Galois group of $\mathbb{Q}$. For every 
$\sigma \in G$, we have $\sigma(j(E_{\mathfrak{p}})) = j(E_{\mathfrak{a}})$ for some ideal class $\mathfrak{a}$ of $\mathcal{O}_D$ appearing in the 
above product. We claim that $\sigma(j_p(\underline{E}_{\mathfrak{p}})) = j_p(\underline{E}_{\mathfrak{a}})$ as well, or equivalently, the map 
$\sigma\colon E_{\mathfrak{p}} \to E_{\mathfrak{a}}$ sends the distinguished $p$-torsion subgroup of $E_{\mathfrak{p}}$ from Lemma 2.1 to 
that of $E_{\mathfrak{a}}$. But $\sigma$ sends the endomorphism ring of $E_{\mathfrak{p}}$ into the endomorphism ring 
of $E_{\mathfrak{a}}$, and in both cases there are only two conjugate embeddings of $\mathcal{O}_D$ into the 
endomorphism ring of the elliptic curve, with either choice resulting in the same 
action of $\mathfrak{p}$ and hence in the same distinguished $p$-torsion subgroup. 

From this claim we see that the set of Galois conjugates of $j_p(\underline{E}_{\mathfrak{p}})$ is exactly 
$\{ j_p(\underline{E}_{\mathfrak{a}}) \mid [\mathfrak{a}] \in \mathrm{Cl}(\mathcal{O}_D) \}$, and so the minimal polynomial contains all the factors in the 
product. 

We now prove that each linear factor in the product occurs with multiplicity 
two. For any ideal class $[\mathfrak{a}]$, the Atkin-Lehner image of $\underline{E}_{\mathfrak{a}}$ is $\underline{E}_{\mathfrak{a}'}$ for some other 
ideal class $[\mathfrak{a}'] \in \mathrm{Cl}(\mathcal{O}_D)$ (by the remarks following Lemma 2.1). The ideal classes 
$[\mathfrak{a}]$ and $[\mathfrak{a}']$ are not identical since the 2-1 covering map $\pi\colon X_0(p) \to X_0^*(p)$ has only 
finitely many branch points, and we can avoid these branch points by choosing $|D|$ 
sufficiently large. Hence $j_p(\underline{E}_{\mathfrak{a}}) = j_p(\underline{E}_{\mathfrak{a}'})$, and since $\pi$ is 2 to 1, these are the only 
equalities among the roots of the factors in the product. □ 

From now on, we will assume that $|D|$ is large enough to satisfy Proposition 2.3. 

Lemma 2.4. Let $\mathfrak{P}$ be a prime of the splitting field $K$ of $P_D(X)$ lying over $\ell$ with 
residue field $k$. Let $\mathcal{E}$ be an elliptic curve defined over $k$, and fix an embedding $\mathcal{O}_D \hookrightarrow 
\mathrm{End}(\mathcal{E})$. Then there is exactly one $p$-torsion subgroup of $\mathcal{E}$ which is annihilated by 
$\mathfrak{p} \subset \mathcal{O}_D$. 

Proof. By Deuring's Lifting Lemma [4], there is exactly one lifting of $\mathcal{E}$ to an 
elliptic curve $E$ over $K$ with CM by $\mathcal{O}_D$ such that reduction mod $\mathfrak{P}$ induces the 
embedding $\mathcal{O}_D \hookrightarrow \mathrm{End}(\mathcal{E})$. The $p$-torsion lattices of $E$ and $\mathcal{E}$ are isomorphic via 
reduction [14], so the unique $p$-torsion subgroup of $E$ from Lemma 2.1 descends to 
a unique $p$-torsion subgroup on $\mathcal{E}$. □ 

As in Definition 2.2, we denote by $\underline{\mathcal{E}}$ the point on $X_0(p)$ mod $\mathfrak{P}$ corresponding to 
the elliptic curve $\mathcal{E}$ together with the cyclic $p$-isogeny whose kernel is the subgroup 
determined by Lemma 2.4. 

Proposition 2.5. Suppose the odd prime $\ell$ splits in $\mathcal{O}_{-p}$ and $\mathcal{O}_{-4p}$ (equivalently, 
$-p$ is a quadratic residue modulo $\ell$). Then, modulo $\ell$, all roots of the polynomial 
$P_D(X)$ occur with even multiplicity, except possibly those corresponding to elliptic 
curves with $j \equiv 1728 \bmod \ell$ when $D = -p\ell$, or elliptic curves which are 2-isogenous 
to those curves when $D = -4p\ell$. 

Proof. Assume first that $D$ is a fundamental discriminant. We show that the points 
$\underline{E}$ corresponding to roots away from $j(E) = 1728$ occur naturally in pairs modulo $\ell$. 
We begin with the following facts from [S] concerning the Hilbert class polynomial 
$H_D(X)$ defined in the proof of Proposition 2.3. Each root of $H_D(X)$ corresponds to 
an isomorphism class of elliptic curves $E$ with complex multiplication by $\mathcal{O}_D$. The 
reduction of this root modulo $\mathfrak{P}$ corresponds to a reduction of $E$ to a supersingular 
elliptic curve $\mathcal{E}$ in characteristic $\ell$, or equivalently an embedding $\iota\colon \mathcal{O}_D \hookrightarrow \mathrm{End}(\mathcal{E})$. 
Since $\ell$ ramifies in $\mathcal{O}_D$, the conjugate $\bar{\iota}$ of $\iota$ is again an embedding of $\mathcal{O}_D$ into 
$\mathrm{End}(\mathcal{E})$, and $\mathcal{E}$ lifts by way of $\bar{\iota}$ to an elliptic curve $E'$ in characteristic zero, which 
is not isomorphic to $E$ provided that $j(E) \not\equiv 1728 \pmod{\ell}$. 

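In order to show that the root $j_p(\underline{\mathcal{E}})$ occurs twice in $P_D(X)$ modulo $\ell$, we must 
show that the two curves $E$ and $E'$ from the previous paragraph correspond to 
two different roots of $P_D(X)$ in characteristic zero, and that they both reduce to 
$\underline{\mathcal{E}}$ modulo $\ell$. To prove the second fact, observe that the embeddings $\iota$ and $\bar{\iota}$ both 
determine the same $p$-torsion subgroup of $\mathcal{E}$ under Lemma 2.4 since $\mathfrak{p}$ equals itself 
under conjugation, so $\underline{E}$ and $\underline{E}'$ both reduce to $\underline{\mathcal{E}}$. As for the first fact, we have 
$E \not\cong E'$ provided that $j(E) \not\equiv 1728 \bmod \ell$, so $\underline{E} \neq \underline{E}'$. The only other way $\underline{E}$ and 
$\underline{E}'$ could be equal on $X_0^*(p)$ is if $w_p(\underline{E}) = \underline{E}'$. But if these two were equal, then 
in particular their reductions mod $\ell$ would be equal, so $w_p(\underline{\mathcal{E}}) = \underline{\mathcal{E}}'$. On the other 
hand, we have just showed that $\underline{\mathcal{E}} = \underline{\mathcal{E}}'$. Putting the two equations together yields 
$w_p(\underline{\mathcal{E}}) = \underline{\mathcal{E}}$. We show that this cannot happen. 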

Let $\phi\colon \mathcal{E} \to \mathcal{E}'$ be the cyclic $p$-isogeny corresponding to $\underline{\mathcal{E}}$. The equation $w_p(\underline{\mathcal{E}}) = 
\underline{\mathcal{E}}$ implies that the dual isogeny $\hat{\phi}$ of $\phi$ is isomorphic to $\phi$, or that there exist 
isomorphisms $\psi_1\colon \mathcal{E} \to \mathcal{E}'$ and $\psi_2\colon \mathcal{E}' \to \mathcal{E}$ making the diagram 

[commutative diagram relating $\phi$, $\hat{\phi}$, $\psi_1$ and $\psi_2$] 

commute. Since $p$ is prime, the equation $\hat{\phi}\phi = [p]$ at once implies that $\psi_2\phi$ is 
not equal to multiplication by any integer, which in turn means that $\psi_2\phi$ 
algebraically generates an imaginary quadratic order inside $\mathrm{End}(\mathcal{E})$. But we also 
have $(\psi_2\phi)^2 = u[p]$ for some $u \in \mathrm{Aut}(\mathcal{E})$ (specifically, $u = \psi_2\psi_1$), from which we 
conclude that $\mathrm{End}(\mathcal{E})$ contains a square root of $-p$, and thus that $\mathcal{E}$ has CM by either 
$\mathcal{O}_{-p}$ or $\mathcal{O}_{-4p}$. Moreover, since $\ell$ splits in these orders by hypothesis, the curve 
$\mathcal{E}$ must have ordinary reduction mod $\ell$. On the other hand, by 0] every root of 
$H_D(X)$ mod $\ell$ (and hence every root of $P_D(X)$ mod $\ell$) corresponds to an elliptic 
curve of supersingular reduction mod $\ell$, which provides our contradiction. 

For the non-fundamental discriminant $D = -4p\ell$, set $D' := -p\ell$ for convenience. 
Let $e$ be 0, 1, or 2 according as 2 is inert, ramified or split in $\mathcal{O}_{D'}$. Then the divisor 
of zeros $(P_D)_0$ of $P_D$ in characteristic $\ell$ or 0 is equal to the Hecke correspondence 
$T_2$ on $X_0^*(p)$ applied to the divisor of zeros $(P_{D'})_0$ of $P_{D'}$, minus $e$ times the divisor 
$(P_{D'})_0$. That is, 

(3)  $(P_D)_0 = T_2\bigl((P_{D'})_0\bigr) - e\,(P_{D'})_0.$ 

Every zero of $P_{D'}$, except for the divisors with $j$-values of 1728, appears in $(P_{D'})_0$ 
with even coefficient in characteristic $\ell$, and hence also appears in $(P_D)_0$ with even 
coefficient by (3). The only divisors unaccounted for are those with $j$-values of 
1728, and the images of such divisors under $T_2$, so the Proposition is proved. □ 

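3. Real roots of $P_D(X)$ 

We find the real roots of the class polynomial $P_D(X)$. A real root of $P_D(X)$ 
corresponds to an unordered pair $\{E, E'\}$ of cyclic $p$-isogenous elliptic curves which 
is fixed under complex conjugation. Choose an ideal class $[\mathfrak{a}] \in \mathrm{Cl}(\mathcal{O}_D)$ representing 
$E$; then $[\mathfrak{a}\mathfrak{p}]$ represents $E'$. For $\{E, E'\}$ to be fixed under complex conjugation 
means that 

$$\{[\mathfrak{a}], [\mathfrak{a}\mathfrak{p}]\} = \{[\bar{\mathfrak{a}}], [\overline{\mathfrak{a}\mathfrak{p}}]\},$$ 

where the bar denotes complex conjugation. This can happen in two ways: either 
$[\mathfrak{a}] = [\bar{\mathfrak{a}}]$, or $[\mathfrak{a}\mathfrak{p}] = [\bar{\mathfrak{a}}]$. 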

Definition 3.1. With notation as above, a real root of $P_D(X)$ is said to be 
unbounded if $[\mathfrak{a}] = [\bar{\mathfrak{a}}]$, and bounded if $[\mathfrak{a}\mathfrak{p}] = [\bar{\mathfrak{a}}]$. 

For the primes $p \equiv 1 \bmod 4$, the behavior of the real roots of $P_D(X)$ closely 
mimics the case of $H_D(X)$ which was treated in j^J. This is not surprising given 
that $X(1) = X_0(1)$ is a special case of $X_0(p)$ when $p \equiv 1 \bmod 4$. However, when 
$p \equiv 3 \bmod 4$ the real roots of $P_D(X)$ exhibit very different behavior. It is therefore 
necessary to treat the two cases separately. 

3.1. The case $p \equiv 1 \bmod 4$. In this section, we assume that $p \equiv 1 \pmod 4$ and 
that $D$ is equal to $-p\ell$ or $-4p\ell$, where $\ell$ is chosen to be a prime congruent to 
3 mod 4 which splits in $\mathcal{O}_{-p}$ and $\mathcal{O}_{-4p}$. 

An unbounded real root of $P_D(X)$ corresponds to an isogeny $E \to E'$ which is 
isomorphic to itself under complex conjugation, meaning that $\underline{E}$ is a real point on 
$X_0(p)$. Since the covering $X_0(p) \to X(1)$ is defined over $\mathbb{Q}$, each such real point 
$\underline{E}$ has $j(E)$ real, so we can count these points by counting the ideal classes $[\mathfrak{a}]$ for 
which $j(\mathfrak{a})$ is real. By genus theory [3], there are two such ideal classes for $\mathcal{O}_{-p\ell}$ 
and two for $\mathcal{O}_{-4p\ell}$, corresponding to the quadratic forms 

$x^2 + xy + \frac{p\ell + 1}{4} y^2$ and $px^2 + pxy + \frac{p + \ell}{4} y^2$ for $D = -p\ell$, and 

$x^2 + p\ell y^2$ and $px^2 + \ell y^2$ for $D = -4p\ell$. 

Since the first two forms above are Atkin-Lehner images of each other, and the 
last two are Atkin-Lehner images of each other, the first pair of real points on $X_0(p)$, 
upon quotienting by $w_p$, yields one real root of $P_{-p\ell}(X)$, and the second pair yields 



Similarly, for $D = -4p\ell$, the quadratic form $x^2 + p\ell y^2$ has the root $\tau = \sqrt{-p\ell}$ with 
$\lim_{\ell \to \infty} j_p(\tau) = \infty$. The divergence of the roots $j_p(\tau)$ of $P_D(X)$, as $\ell \to \infty$, justifies 
the terminology "unbounded." 

A bounded real root of $P_D(X)$ occurs when $[\mathfrak{a}\mathfrak{p}] = [\bar{\mathfrak{a}}]$, or equivalently $[\mathfrak{p}] = [\bar{\mathfrak{a}}]^2$. 
Viewing each ideal class as a quadratic form, a bounded root exists if and only if 
the quadratic form $px^2 + \ell y^2$ (for $D = -4p\ell$) or $px^2 + pxy + \frac{p + \ell}{4} y^2$ (for $D = -p\ell$) is 
equal to the direct composition of some quadratic form $ax^2 + bxy + cy^2$ with itself. 
In particular, this implies by definition of composition that there exists a nonzero 
integer $z$ satisfying the Diophantine equation $px^2 + \ell y^2 = z^2$ in the $D = -4p\ell$ case, 
or $px^2 + pxy + \frac{p + \ell}{4} y^2 = z^2$ in the $D = -p\ell$ case. We show that this cannot happen 
in our situation. 

Lemma 3.2. The Diophantine equations $px^2 + \ell y^2 = z^2$ and $px^2 + pxy + \frac{p + \ell}{4} y^2 = z^2$ 
have no nonzero solutions $x, y, z \in \mathbb{Z}$. 

Proof. Suppose there were a nonzero solution. We may assume $y \not\equiv 0 \pmod{p}$, 
or else descent yields a contradiction. Then reducing the equations modulo $p$, 
we get that $\ell$ is a perfect square mod $p$, which contradicts the assumptions that 
$\ell \equiv 3 \bmod 4$ and $\ell$ splits in $\mathcal{O}_{-p}$. □ 

We conclude that the polynomial $P_D(X)$ has one unbounded real root and no 
bounded real roots, with the unbounded real root diverging to $\infty$ for $D = -4p\ell$ and 
$-\infty$ for $D = -p\ell$, as $\ell \to \infty$. 

3.2. The case $p \equiv 3 \bmod 4$. We assume that $p \equiv 3 \pmod 4$ and that $D = -4p\ell$, 
where $\ell \equiv 1 \bmod 4$ and $\ell$ splits in $\mathcal{O}_{-p}$ and $\mathcal{O}_{-4p}$. Using genus theory as before, the 
unbounded real root of $P_D(X)$ is represented by the pair of ideals corresponding to 
the two $w_p$-equivalent quadratic forms 

$x^2 + p\ell y^2$ and $px^2 + \ell y^2$. 

Hence the polynomial $P_D(X)$ has one unbounded real root, which approaches $\infty$ 
as $\ell$ becomes large. 

Recall that a bounded real root corresponds to an equivalence class of quadratic 
forms $ax^2 + bxy + cy^2$ whose square in the form class group is equal to the form 
$px^2 + \ell y^2$. There is at most one such form class, because a second one would result 
in more 2-torsion classes in the ideal class group of $\mathcal{O}_D$ than were found in the 
preceding analysis of the unbounded roots. 

To show the existence of such a quadratic form, it suffices to construct a quadratic 
form $pax^2 + bxy + ay^2$ of discriminant $D$ with $p$ dividing $b$. Indeed, the Dirichlet 
composition [3] of $pax^2 + bxy + ay^2$ with itself is $a^2x^2 + bxy + py^2$, which is properly 
equivalent to $px^2 + \ell y^2$ since $p \mid b$ and the discriminants of the two forms match. 

To find such a quadratic form, choose integers $A$ and $B$ such that $\ell = A^2 - pB^2 = 
(A + B\sqrt{p})(A - B\sqrt{p})$. Such integers exist because $\ell$ splits in $\mathbb{Q}(\sqrt{p})$, and all such 
representations of $\ell$ differ by a factor of $\pm\varepsilon^n$ where $\varepsilon := c + d\sqrt{p}$ is the fundamental 
unit of $\mathbb{Q}(\sqrt{p})$. Note that $c$ and $d$ are integers, since $p \equiv 3 \bmod 4$, and that $c$ is even 
and $d$ is odd. Accordingly, multiplication by $\varepsilon$ changes the parity of $A$, so there 
exist representations with $A$ even and with $A$ odd. Choose $A$ to be odd, and set 
$a = A$, $b = 2pB$ to obtain a quadratic form $pax^2 + bxy + ay^2$ of discriminant $-4p\ell$. 

We now find the minimal possible value for $B$ (equivalently, the minimal possible 
$b$), subject to the constraint that $A$ is odd. This value for $B$ is determined by the 
requirement that multiplication by $\varepsilon^2$ must increase the size of the coefficients of 
the factor $A - B\sqrt{p}$. We compute these coefficients to be: 

$$(A - B\sqrt{p})(c + d\sqrt{p})^2 = (Ac^2 - 2Bcdp + Ad^2p) + (2Acd - Bc^2 - Bd^2p)\sqrt{p}$$ 

The requirement is thus $B < (2Acd - Bc^2 - Bd^2p)$, or 

$$\frac{B}{A} < \frac{2cd}{c^2 + d^2p + 1} = \frac{d}{c} \cdot \frac{2c^2}{c^2 + d^2p + 1}.$$ 

But $d^2p = c^2 - 1$, so the fraction $(2c^2)/(c^2 + d^2p + 1)$ equals 1, whence our condition 
on $B$ is just $B/A < d/c$. One could have done the same computation using the 
inequality on $A$ given by the other coefficient; the reader can verify that doing so 
produces the same inequality. 

Now, if $b$ is chosen to be minimal and of the above form (i.e., $cB < dA$, or 
equivalently $cb < 2pda$, and $A$ is odd), then the root $\tau = \frac{-b + \sqrt{D}}{2pa}$ of the quadratic 
form $pax^2 + bxy + ay^2$ lying in the upper half plane has absolute value $1/\sqrt{p}$ and real 
part equal to $-B/A$, with $-d/c < -B/A < 0$. Denote the set of all such complex 
numbers in the upper half plane by $S$. Since all of the points on the circular arc $S$ 
are distinct in $X_0^*(p)$, the function $j_p(z)$ is monotonic (and, of course, real valued) 
in the clockwise direction along this circular arc. From $q$-expansions we see that 
$j_p(z)$ is in fact increasing clockwise along the arc $S$. We claim that, for random 
large values of $\ell$, the locations of the corresponding roots $\tau$ (as a function of $\ell$) 
are uniformly distributed along the arc $S$ in a weak sense to be made precise in 
Lemma 3.3. It follows that the bounded real root of the polynomial $P_D(X)$ is 
uniformly distributed along the real interval $j_p(S)$ as $D$ varies. 
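
The construction of the bounded form can be checked numerically. The following Python sketch is an added example, not code from the paper: for $p \equiv 3 \bmod 4$ and a prime $\ell \equiv 1 \bmod 4$ it finds the pair $(A, B)$ with $A$ odd and $cB < dA$, builds $pax^2 + bxy + ay^2$, squares it with a general composition routine for primitive forms (more general than the squaring the text needs), and compares the reduced result with $px^2 + \ell y^2$. All function names and the sample pairs $(p, \ell)$ are assumptions made for the illustration.

```python
from fractions import Fraction
from math import isqrt

def fundamental_unit(p):
    """Least (c, d), d >= 1, with c^2 - p*d^2 = 1 (no unit has norm -1 when p = 3 mod 4)."""
    d = 1
    while True:
        c = isqrt(p * d * d + 1)
        if c * c == p * d * d + 1:
            return c, d
        d += 1

def xgcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b) >= 0."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return (a, x0, y0) if a >= 0 else (-a, -x0, -y0)

def compose(f1, f2):
    """Compose primitive forms (a, b, c) = a x^2 + b x y + c y^2 of equal discriminant."""
    (a1, b1, c1), (a2, b2, c2) = f1, f2
    D = b1 * b1 - 4 * a1 * c1
    if b2 * b2 - 4 * a2 * c2 != D:
        raise ValueError("discriminants differ")
    s = (b1 + b2) // 2
    g, _, y = xgcd(a1, a2)              # a1*_ + a2*y = g
    e, u, l = xgcd(g, s)                # g*u + s*l = e = gcd(a1, a2, s)
    k = y * u                           # coefficient of a2 in the relation for e
    a3 = (a1 // e) * (a2 // e)
    b3 = (b2 + 2 * (a2 // e) * (k * ((b1 - b2) // 2) - l * c2)) % (2 * a3)
    return a3, b3, (b3 * b3 - D) // (4 * a3)

def reduce_form(f):
    """Reduced representative (|b| <= a <= c) of a positive definite form."""
    a, b, c = f
    D = b * b - 4 * a * c
    while True:
        b %= 2 * a                      # bring b into (-a, a]
        if b > a:
            b -= 2 * a
        c = (b * b - D) // (4 * a)
        if a > c:
            a, b, c = c, -b, a
        else:
            if a == c and b < 0:
                b = -b
            return a, b, c

def bounded_form(p, ell):
    """Find odd A and B > 0 with ell = A^2 - p*B^2 and c*B < d*A; return (A, B, form)."""
    if p % 4 != 3 or ell % 4 != 1:
        raise ValueError("expects p = 3 mod 4 and ell = 1 mod 4")
    c, d = fundamental_unit(p)
    for B in range(1, isqrt(d * d * ell) + 1):   # c*B < d*A forces B < d*sqrt(ell)
        A = isqrt(ell + p * B * B)
        if A * A - p * B * B == ell and A % 2 == 1 and c * B < d * A:
            return A, B, (p * A, 2 * p * B, A)   # a = A, b = 2pB as in the text
    return None                                  # no such representation found

def check(p, ell):
    """Build the form, square it, and compare with p x^2 + ell y^2 up to equivalence."""
    found = bounded_form(p, ell)
    if found is None:
        return None
    A, B, f = found
    square = compose(f, f)
    return {
        "A": A, "B": B, "form": f,
        "disc": f[1] ** 2 - 4 * f[0] * f[2],
        "square": square,
        "square_reduced": reduce_form(square),
        "target_reduced": reduce_form((p, 0, ell)),
        "re_tau": Fraction(-f[1], 2 * f[0]),     # real part of the root tau, -B/A
        "abs_tau_sq": Fraction(f[2], f[0]),      # |tau|^2, equal to 1/p
    }

if __name__ == "__main__":
    for p, ell in [(3, 13), (7, 29), (11, 5), (19, 5)]:   # constructed sample inputs
        print(p, ell, check(p, ell))
```
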

Lemma 3.3. Let $\mathcal{A}$ be an arithmetic progression containing infinitely many primes 
$\ell$ which are congruent to 3 mod 4 and split in $\mathcal{O}_{-p}$ and $\mathcal{O}_{-4p}$. For any sub-arc $T \subset S$ 
of nonzero length, there exist infinitely many primes $\ell \in \mathcal{A}$ whose corresponding 
roots $\tau$ above lie in $T$. 
Proof. Let $U$ be the projection of $T$ to the real axis. Using the fact that $\mathrm{Re}(\tau) = 
-B/A$, we see that it suffices to show that $-B/A \in U$ for infinitely many primes 
$\ell \in \mathcal{A}$. Consider the function 



mapping ideals $\mathfrak{a}$ of $\mathcal{O}_p$ into complex numbers of norm 1. Let $\sigma(A, B)$ denote the 
value of $\sigma$ on the principal ideal $(A + B\sqrt{p})$ in $\mathcal{O}_p$. Then $\sigma(A, B)$ is purely a 
function of $B/A$, and as $B/A$ increases from 0 to $d/c$ with $B$ positive, the point 
$\sigma(A, B) \in S^1$ increases monotonically in angle from 0 to $2\pi$. Thus it is enough to 
show that $\sigma(A, B)$ is equidistributed on $S^1$ where $A$, $B$ vary as a function of $\ell \in \mathcal{A}$, 
with $\ell = A^2 - pB^2$. But the equidistribution of values of $\sigma$ with respect to $\ell$ has 
already been proven in [12, p. 318]. □ 

In summary, for $p \equiv 3 \bmod 4$ and $D = -4p\ell$, where $\ell \equiv 1 \bmod 4$ and $\ell$ splits 
in $\mathcal{O}_{-p}$ and $\mathcal{O}_{-4p}$, the polynomial $P_D(X)$ has exactly two real roots, with the 
unbounded real root diverging to $\infty$ as $\ell$ increases and the bounded real root being 
uniformly distributed in the real interval $j_p(S)$ as the prime $\ell$ is varied. 



4. Proof of the main theorem 

4.1. Specification of Hauptmoduls. For the sake of concreteness, we will use the 
following Hauptmoduls for the curves $X_0^*(p)$, $p = 3, 5, 7, 11, 13, 19$. The derivation 
of these Hauptmoduls is discussed in [7]. 

For $p = 3, 5, 7, 13$, the modular curve $X_0(p)$ is a rational curve with coordinate 



where $\eta$ is the Dedekind eta function. The action of the Atkin-Lehner involution 
$w_p$ is given by 



24 



(4) 




12 
p-1 




Jpfi 



For these primes, we use the Hauptmodul jp defined by the formula 




For p = 11 we use the Hauptmodul 




where $\theta_{a,b,c}(z)$ is defined to be the theta function 





valid for all z in the upper half plane H. 
For $p = 19$, we use the function 
where now ^ ^{z) is defined by 



m+n=l(2) 



4.2. Proof of the theorem for $p \equiv 3 \bmod 4$. We assume that $p$ is equal to 3, 7, 
11, or 19. As before, we will use the polynomials $P_D(X)$, $D = -p\ell$ or $D = -4p\ell$, 
where the prime $\ell$ is both 1 mod 4 and a quadratic residue mod $p$. Note that 
$P_D(X)$ is monic (since its roots $j_p(\underline{E})$ are algebraic integers) and each such curve 
$E$ is supersingular mod $p$ and mod $\ell$ (since $p$ and $\ell$ ramify in $D$). 

Proposition 4.1. The polynomial $P_D(X)$ is a square modulo $\ell$. 

Proof. By Proposition 2.5 we only have to exclude the possibility of there being 
roots associated to the $j$-invariant 1728. First consider the case $D = -p\ell$. Suppose 
$j_p(\underline{E})$ were a root of $P_D(X)$, with $j(E) \equiv 1728 \bmod \ell$. Then $E$ would be 
supersingular mod $\ell$ and have complex multiplication by $\mathcal{O}_{-4}$. But $\ell$ splits in $\mathcal{O}_{-4}$, so a 
curve with CM by $\mathcal{O}_{-4}$ cannot be supersingular mod $\ell$. 

Now take $D = -4p\ell$. As in the proof of Proposition 2.5, set $D' := -p\ell$. Then, 
since all coefficients in the divisor of zeros $(P_{D'})_0$ are even in characteristic $\ell$, the 
proof of Proposition 2.5 shows that every coefficient of $(P_D)_0$ is even as well. □ 

Lemma 4.2. For $D = -4p\ell$, the polynomial $P_D(X)$ is a perfect square modulo $p$. 

Proof. Suppose first that $p = 3$ or 7. Every root of $P_D(X)$ is of the form $j_p(\underline{E})$ 
where $E$ is a supersingular elliptic curve mod $p$. But there is only one isomorphism 
class of supersingular elliptic curves mod $p$. It follows that $P_D(X)$ has divisor of 
zeros equal to $\deg(P_D) \cdot (j_p(\underline{E}))$. Since $P_D(X)$ mod $p$ is monic, has even degree, 
and has only one root of maximal multiplicity, it must be a perfect square. 

Now suppose $p = 11$. Write $D' = -p\ell$ as before. Here there are two isomorphism 
classes of supersingular elliptic curves mod $p$, having the values 0 and $-1$ under 
the coordinate function $j_{11}$ of §4.1. Using the algorithm of Pizer p^, we find that 
the action of the Hecke correspondence $T_2$, as given by the Brandt matrix $B(2)$, is 
represented by the equations: 

$$T_2((0)) = 1 \cdot (0) + 2 \cdot (-1)$$ 

$$T_2((-1)) = 3 \cdot (0) + 0 \cdot (-1).$$ 

Since the roots of the polynomial $P_{D'}(X)$ are supersingular, the polynomial $P_{D'}(X)$ 
has the form $X^m (X + 1)^n$ mod 11 for some integers $m$ and $n$. The above calculation 
of $T_2$, combined with Equation (3), yields 

$$P_D(X) = X^{m + 3n - em} (X + 1)^{2m - en} \bmod 11,$$ 

which is a perfect square since $\deg(P_{D'}) = m + n$ is even and $e$ is even for all primes 
$\ell \equiv 1 \bmod 4$ which are squares mod $p$. 

The case $p = 19$ is similar: using the Hauptmodul $j_{19}$ of §4.1, the Hecke 
correspondence mod 19 has matrix [ J 2 ] with respect to the basis of supersingular 
invariants $\{(0), (8)\}$. Since the columns of this matrix add up to even numbers, 
the polynomial $P_D(X)$ is always a perfect square modulo 19 for $D = -4p\ell$ and our 
choices of $\ell$. □ 
Theorem 4.3. Suppose $p = 3$, 7, 11, or 19. Let $\{E, E'\}$ be a pair of elliptic curves, 
defined over $K$, corresponding to a rational point on $X_0^*(p)$, and assume that $E$ is 
not supersingular at $p$. Then $E$ has infinitely many supersingular primes. 

Proof. If $E$ is represented by the complex lattice $\langle 1, \tau \rangle$ with $\tau \in \mathbb{H}$, the fact that 
$h := j_p(\tau)$ is real means that we may (c.f. Section 3) take $\tau$ either on the unbounded 
arcs corresponding to $\mathrm{Re}(\tau) = 0$ or $\mathrm{Re}(\tau) = 1/2$, or on the bounded arc $j_p(S)$ of 
Lemma 3.3. In the unbounded case, $j(\tau)$ is real and $K$ has a real embedding, so the 
result follows from [H] and we do not need to do it here. We can therefore assume 
that $\tau \in S$ and $-d/c \leq \mathrm{Re}(\tau) \leq 0$. Moreover, we can assume these inequalities are 
strict, since otherwise $E$ has CM and its supersingular primes are known to have 
density 1/2. 

Now suppose $h$ is rational inside the interior of the interval $j_p(S)$ and the curve $E$ 
is not supersingular modulo $p$. Given any finite set $\Sigma$ of primes of $K$, we construct 
a supersingular prime $\pi$ of $E$ outside of $\Sigma$. 

Without loss of generality, suppose that $\Sigma$ contains all of the primes of bad 
reduction of $E$. Choose a large prime $\ell$ such that 

(1) $\ell \equiv 1 \bmod 4$ and $\ell$ splits in $\mathcal{O}_{-p}$ and $\mathcal{O}_{-4p}$. 

(2) (^) = 1 for every rational prime $v$ lying under a prime in $\Sigma$, except possibly 
$v = p$. 

(3) $P_D(h) < 0$. 

Condition 2 is satisfied as long as the bounded root $r$ of $P_D(h)$ falls to the left of 
$h$ on the real line. Since $h$ is not on the boundary of $j_p(S)$, Lemma 3.3 assures the 
existence of infinitely many primes $\ell$ satisfying all the conditions. 

The rational number $P_D(h)$ is then congruent to a perfect square mod $\ell$ (by 
Proposition 4.1) and mod $p$ (by Lemma 4.2). However, being negative, it also 
contains a factor of $-1$, which is not a perfect square mod $p\ell$. Therefore at least 
one of its prime factors $q$ satisfies the equation (^) $\neq 1$ and thus is ramified or inert 
in $\mathbb{Q}(\sqrt{D})$. Moreover, the denominator of $P_D(h)$ is a perfect square, since $P_D(X)$ 
is monic with integer coefficients and even degree. Hence we may take $q$ to be a 
factor of the numerator of $P_D(h)$. Furthermore, $q$ is not equal to $p$, because by 
hypothesis $E$ is not supersingular at $p$ so $p$ cannot divide $P_D(h)$. 

It follows from Condition 3 that $q$ does not lie under any prime in $\Sigma$, and $h$ 
is a root of $P_D(X)$ in characteristic $q$. Therefore $j(E)$ is a root of $H_D(X)$ in 
characteristic $q$. Hence, for any prime $\mathfrak{q}$ of $K$ lying over $q$, the reduction of $E$ at 
$\mathfrak{q}$ has complex multiplication by $\mathcal{O}_{D'}$ for some factor $D'$ of $D$ such that $D/D'$ is a 
square, and since $q$ is not split in $\mathbb{Q}(\sqrt{D})$, it follows that there is a new supersingular 
prime $\pi \notin \Sigma$ lying above $q$. □ 

4.3. Proof of the theorem for $p \equiv 1 \bmod 4$. We now give a proof of Theorem 1.1 
for the primes $p = 5$ and 13. Let $\ell$ be a prime congruent to 3 mod 4 such that 
$\ell$ splits in $\mathcal{O}_{-p}$ and $\mathcal{O}_{-4p}$. Explicitly, $\ell \equiv 3, 7 \pmod{20}$ for $N = 5$, and $\ell \equiv 
7, 11, 15, 19, 31, 47 \pmod{52}$ for $N = 13$. Note that Proposition 2.5 applies in this 
case. Throughout this section we will use the Hauptmoduls $j_5$ and $j_{13}$ specified in 
§4.1. 

Proposition 4.4. For $p = 5$ and $D = -p\ell$ or $D = -4p\ell$, the polynomial $P_D(X)$ 
is of the form $(X + 22) R(X)^2$ modulo $\ell$. 

Proof. From class number considerations we know that the class polynomial $P_D(X)$ 
has odd degree. We show that the only factors of $P_D(X)$ lying over $j = 1728$ are 
equal to $(X + 22)$ mod $\ell$. This will imply that our polynomial has the required 
form, by Proposition 2.5. 

Let $E = \mathbb{C}/L$ where $L = \langle 1, i \rangle$. Then $j(E) = 1728$ and there are six points 
(counting multiplicity) of $X_0(5)$ lying over $E$. We compute the values under $j_{5,0}$ 
and $j_5$ for each of the choices of 5-torsion subgroup of $E$: 



subgroup        j_{5,0}         j_5 

<1/5>           125 + 2√5       248 + 126√5 
<i/5>           125 + 2√5       248 + 126√5 
<(i + 1)/5>     125 - 2√5       248 - 126√5 
<(i - 1)/5>     125 - 2√5       248 - 126√5 
<(i + 2)/5>     -11 + 2i        -22 
<(i - 2)/5>     -11 - 2i        -22 



Notice that the two subgroups $G$ of $E$ with $j_5(E, E/G) = -22$ are characterized 
by the property $G = iG$. We will use this characterization to prove that the roots 
of $P_D(X)$ over 1728 must have $j_5 = -22$. 

Suppose first that $D = -5\ell$ is a fundamental discriminant. Let $j_5(\underline{E})$ be a 
root of $P_D(X)$ modulo $\ell$ with $j(E) \equiv 1728$ modulo $\ell$. Then the reduction $\mathcal{E}$ of $E$ 
modulo $\ell$ has quaternionic endomorphism ring $A$ containing a subring generated 
by $\mathbb{Z}[I, (D + \sqrt{D})/2]$, where $I^2 = -1$ and $\sqrt{D}$ in $A$ is obtained from the embedding 
$\iota\colon \mathcal{O}_D \hookrightarrow A$ induced by the reduction map from $E$ to $\mathcal{E}$. Now, the reduction of 
the ring $A$ modulo 5 is isomorphic to $M_{2 \times 2}(\mathbb{Z}/5)$, with the isomorphism being 
given by the action of $A$ on the 5-torsion group $E[5] = \mathcal{E}[5]$ of $E$. The element 
$\sqrt{D}$ has square equal to $D \equiv 0 \bmod 5$, so it is nilpotent in $M_{2 \times 2}(\mathbb{Z}/5)$ with kernel 
equal to $\ker(5, \sqrt{D}) = \ker \mathfrak{p}$. Observe that $\ker(I \sqrt{D} I^{-1}) = I \ker(\sqrt{D}) = I \ker \mathfrak{p}$; 
on the other hand, $\ker(I \sqrt{D} I^{-1}) = \ker(\bar{\iota}(\sqrt{D})) = \ker(\sqrt{D}) = \ker \mathfrak{p}$. Therefore 
the distinguished 5-torsion subgroup $G = \ker \mathfrak{p}$ of Lemma 2.4 satisfies the equality 
$G = iG$, as desired. 

For the non-fundamental case $D = -20\ell$, note that the Hecke correspondence $T_2$ 
applied to the value $j_5(\underline{E}) = -22$ is a formal sum of terms all with even coefficient 
except for $-22$ itself, so by the proof of Proposition 2.5 the polynomial $P_D(X)$ is 
a perfect square except for a linear factor of $(X + 22)$. □ 

Proposition 4.5. For $p = 13$ and $D = -p\ell$ or $D = -4p\ell$, the polynomial $P_D(X)$ 
is of the form $(X + 6) R(X)^2$ modulo $\ell$. 

Proof. Let $j(E) = 1728$. By the same proof as in Proposition 4.4, the kernel $G$ 
of $\underline{E}$ satisfies $G = iG$. There are only two 13-torsion subgroups $G$ of $\mathbb{C}/\mathbb{Z}[i]$ that 
satisfy the equation $G = iG$, and they are generated respectively by $(2 + 3i)/13$ and 
$(3 + 2i)/13$. One calculates that $j_{13,0} = -3 \pm 2i$ and $j_{13} = -6$ for these points, so as 
in Proposition 4.4 the polynomial $P_D$ factors as $(X + 6)$ times a perfect square. □ 

Define $P_\ell(X)$ to be the monic polynomial $P_{-p\ell}(X) \cdot P_{-4p\ell}(X)$. Then, by 
Propositions 4.4 and 4.5 the polynomial $P_\ell(X)$ is a perfect square mod $\ell$, and by the 
classification of the real roots of $P_D(X)$ in §3.1, the polynomial $P_\ell(X)$ has exactly 
two real roots which diverge to infinity in opposite directions as $\ell \to \infty$. In 
particular, for any fixed real number $h$, the value of $P_\ell(h)$ is negative for all sufficiently 
large $\ell$. 

Lemma 4.6. For $p = 5$ or 13, the polynomial $P_\ell(X)$ is a perfect square modulo $p$. 

Proof. Since the polynomial has even degree, it suffices to prove that all roots of 
the polynomial are congruent mod $p$. But every root of $P_\ell(X)$ mod $p$ is of the 
form $j_p(\underline{E})$ where $E$ is an elliptic curve whose reduction modulo $p$ is supersingular. 
For either $p = 5$ or $p = 13$, there is only one isomorphism class of supersingular 
$j$-invariants mod $p$, so all such curves $E$ are isomorphic mod $p$ and they all have 
the same $j_p$ value. □ 

Theorem 4.7. Suppose $p$ equals 5 or 13. Let $\{E, E'\}$ be a pair of elliptic curves,
defined over a number field $K$, corresponding to a rational point on the curve $X_0^*(p)$.
Assume that $E$ is not supersingular at $p$. Then $E$ has infinitely many supersingular
primes.

Proof. Suppose $h := j_p(E)$ is rational and not of supersingular reduction modulo $p$.
Given any finite set $S$ of primes of $K$, containing all of $E$'s primes of bad reduction,
we construct a supersingular prime $\pi$ of $E$ outside of $S$.
Choose a large prime $\ell$ satisfying the conditions:

(1) $\ell \equiv 3 \bmod 4$ and $\ell$ splits in $\mathcal{O}_{-p}$ and $\mathcal{O}_{-4p}$.

(2) (^) = 1 for every rational prime $v$ lying under a prime in $S$ (except possibly
$v = p$).

(3) $P_\ell(h) < 0$.

Then the numerator $z$ of the rational number $P_\ell(h)$ is divisible by some rational
prime $q$ which is ramified or inert in $\mathbb{Q}(\sqrt{D})$ for one of $D = -p\ell$ or $D = -4p\ell$
(equivalently, has (^) $\neq 1$). Indeed, if not, then the absolute values of both the
numerator and the denominator of $P_\ell(h)$ would have quadratic character 1 modulo
$p\ell$. But (^) $= -1$ by our choice of $\ell$, so the number $P_\ell(h)$ itself would have
quadratic character $-1$ modulo $p\ell$, contradicting the fact that $P_\ell(h)$ is a perfect
square mod $p$ and mod $\ell$.

Moreover, $q$ is not equal to $p$, since the assumption that $E$ is not supersingular
at $p$ implies that $p$ does not divide $P_\ell(h)$.

It follows that $q$ does not lie under any prime in $S$, and $h$ is a root of $P_\ell(X)$ in
characteristic $q$. Therefore, for one of $D = -p\ell$ or $D = -4p\ell$, the value $j(E)$ is a
root of $H_D(X)$ in characteristic $q$. Hence, for any prime $\mathfrak{q}$ of $K$ lying over $q$, the
reduction $E_{\mathfrak{q}}$ has complex multiplication by $\mathcal{O}_{D'}$ for some factor $D'$ of $D$ such that
$D/D'$ is a square, and since $q$ is not split in $\mathbb{Q}(\sqrt{D})$, it follows that there is a new
supersingular prime $\pi \notin S$ lying above $q$. □

5. Numerical Computations 

5.1. Relationship to Elkies's work. In addition to proving the infinitude of
supersingular primes for elliptic curves defined over real number fields in [H], Elkies
in [5, p. 566] notes that his method also works for $j$-invariants "such that the
exponent of some prime congruent to +1 mod 4 in the absolute norm of $j - 12^3$ is
odd." Thus, even for the case of elliptic curves over imaginary number fields our
results do not represent the first demonstration of infinitely many supersingular
primes for ordinary curves. However, one can prove by direct computation that,
over non-real number fields, the set of elliptic curves given in the statement of
Theorem 1.1 is disjoint from the set of curves which satisfy the property stated by
Elkies above. As an illustration of this fact we will perform the computation for
the case of $X_0^*(3)$.

We preserve the notation from Section Wa\ We will need the equation

$$ j(z) - 1728 = \frac{\left(j_{3,0}(z)^2 - 486\, j_{3,0}(z) - 19683\right)^2}{j_{3,0}(z)^3} \qquad (7) $$

obtained as in jTj by linear algebra on the Fourier coefficients of $q$-expansions.
Because [B] already provides for the case of elliptic curves with real $j$-invariants,
we are interested only in the case of non-real $j$-invariants. Equations ^ and (7)
show that the only way a rational number $j_3(z)$ can arise from a non-real number
$j(z)$ is if the two complex numbers $j_{3,0}(z)$ and $w_3(j_{3,0}(z))$ are imaginary quadratic
complex conjugates of each other. When this happens, Equation ^ then shows
that the two complex conjugates multiply to $3^6$, so we conclude that the norm of
$j_{3,0}(z)$ must equal $3^6$.

Taking the norms of both sides of (7), we get

$$ N(j(z) - 1728) = \frac{N\left(j_{3,0}(z)^2 - 486\, j_{3,0}(z) - 19683\right)^2}{N(j_{3,0}(z))^3} = \frac{N\left(j_{3,0}(z)^2 - 486\, j_{3,0}(z) - 19683\right)^2}{(3^6)^3} $$

where the last equality follows from the fact that $j_{3,0}(z)$ has norm $3^6$. This equation
shows that the rational number $N(j(z) - 1728)$ is always a perfect square, and hence
it cannot satisfy the requirement of Elkies that it possess a prime factor of odd
multiplicity.

5.2. Points on $X_0^*(11)$. For a numerical demonstration of our supersingular prime
finding algorithm, consider the point $j_{11} = 21/2$ on $X_0^*(11)$, having $j$-invariant

$$ j = \frac{-489229980611 - 42355313\sqrt{-84567}}{4096}, $$

with $N(j - 1728) = (7646751287/64)^2$. We find supersingular primes for this
$j$-invariant using class polynomials on $X_0^*(11)$. For this we must pick primes
$\ell \equiv 1 \bmod 4$ such that $\ell$ is a quadratic residue mod 11 and the class polynomial of
discriminant $-44\ell$ has a real root to the left of $21/2$ in order to ensure that $P_D(21/2)$
is negative.

Using $\ell = 5$, we find that

$$ P_{-220}(X) = X^2 - 77X + 121. $$

The rational number $P_{-220}(21/2) = -2309/4$ is negative and a perfect square modulo
55, so the prime factor 2309 in the numerator is a supersingular prime for this point.

To find a new supersingular prime not equal to 2309, we need a new value of $\ell$
with (^) = 1. Using $\ell = 37$, we have

$$ P_{-1628}(X) = X^8 - 101042X^7 - 2728753X^6 - 167281605X^5 + 1453552981X^4 - 4464256335X^3 + 8630555868X^2 - 9354295951X + 4253517961 $$

and

$$ P_{-1628}\left(\tfrac{21}{2}\right) = -\frac{7^2 \cdot 151 \cdot 452233314041}{256}. $$

Of the primes in the numerator, both 7 and 151 are quadratic nonresidues mod
$11 \cdot 37 = 407$, so our $j$-invariant is supersingular modulo these primes. In this case
the primes are small enough to check directly against the tables of supersingular
$j$-invariants in 0; thus we find that $(-489229980611 - 42355313\sqrt{-84567})/4096$
is congruent to 6 mod 7, and to 67 mod 151 (or to 101 mod 151 if the other square
root is chosen), and that these values are indeed supersingular invariants modulo 7
and 151 respectively.
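The arithmetic of Section 5.2 can be re-run mechanically; the following Python script is an added example, not code from the paper, and its function names are hypothetical. It assumes the readings $j_{11} = 21/2$ and exponents of $P_{-1628}$ descending from $X^8$, and it tests supersingularity over $\mathbb{F}_q$ by checking that the trace of Frobenius is zero rather than by consulting tables.

```python
# Added example: constants below are copied from Section 5.2 of the page.
A, B, D, DEN = -489229980611, -42355313, -84567, 4096  # j = (A + B*sqrt(D))/DEN
P220 = [1, -77, 121]                                   # P_{-220}(X)
P1628 = [1, -101042, -2728753, -167281605, 1453552981,
         -4464256335, 8630555868, -9354295951, 4253517961]  # P_{-1628}(X)

def numerator(coeffs, num, den):
    """Integer den^deg * P(num/den); coeffs are listed highest degree first."""
    deg = len(coeffs) - 1
    return sum(c * num ** (deg - i) * den ** i for i, c in enumerate(coeffs))

def legendre(a, q):
    """Legendre symbol (a/q) for an odd prime q, via Euler's criterion."""
    r = pow(a % q, (q - 1) // 2, q)
    return -1 if r == q - 1 else r

def j_mod(q):
    """Reductions of j at the primes above q where sqrt(D) exists in F_q."""
    inv = pow(DEN, -1, q)
    roots = [s for s in range(q) if (s * s - D) % q == 0]
    return sorted({(A + B * s) * inv % q for s in roots})

def is_supersingular(j, q):
    """Trace-of-Frobenius test over F_q, valid for primes q >= 5."""
    j %= q
    if j == 0:
        a, b = 0, 1                       # y^2 = x^3 + 1
    elif j == 1728 % q:
        a, b = 1, 0                       # y^2 = x^3 + x
    else:
        k = j * pow(1728 - j, -1, q) % q  # y^2 = x^3 + 3k x + 2k has invariant j
        a, b = 3 * k % q, 2 * k % q
    # #E(F_q) = q + 1 + sum of (f(x)/q); supersingular iff that sum is 0.
    return sum(legendre(x ** 3 + a * x + b, q) for x in range(q)) == 0

if __name__ == "__main__":
    print("4*P_-220(21/2)    =", numerator(P220, 21, 2))
    print("256*P_-1628(21/2) =", numerator(P1628, 21, 2))
    for disc, q in [(-220, 2309), (-1628, 7), (-1628, 151)]:
        print(f"({disc}/{q}) =", legendre(disc, q))
    for q in (7, 151):
        print(q, [(j, is_supersingular(j, q)) for j in j_mod(q)])
```

The prime 2309 is inert in $\mathbb{Q}(\sqrt{-84567})$, so the reduction of $j$ there lies in $\mathbb{F}_{2309^2}$ and is outside the scope of this $\mathbb{F}_q$ point count; only its quadratic character is checked.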

6. Further directions 

The proofs given here are not limited to the case where $j_p(E)$ is rational. When
$p \equiv 1 \bmod 4$, we can generalize Theorem 1.1 to the case of elliptic curves $E$ whose
$j_p$-invariant has odd algebraic degree. The proof is the same as that given in jKj: for
large enough values of $\ell$, the absolute norm of $P_\ell(j_p(E))$ is negative and hence has a
prime factor lifting to a new supersingular prime of $E$. Likewise, for $p \equiv 3 \bmod 4$, we
can extend our proof to all curves $E$ for which $j_p(E)$ is real. In this case we assume
that all the real conjugates of $j_p(E)$ lie inside the set $j_p(S)$ of Lemma since
otherwise we can use [H] directly. Because the bounded root of $P_D(X)$ is uniformly
distributed along $j_p(S)$, there exists a value of $D$ making $P_D(X)$ negative valued
on exactly one real conjugate of $j_p(E)$. For this choice of $D$, the numerator of the
absolute norm of $P_D(j_p(E))$ produces a new supersingular prime for $E$.

One might naturally ask how to prove Theorem 1.1 for the primes $p = 17$ or
$p > 19$. Our proof relies on the fact that the polynomial $P_D(X)$ is a square mod
$p$. When $X_0^*(p)$ has genus 0, this fact is automatic since $P_D(X)$ has only one root
in characteristic $p$. For the genus 1 cases $p = 11$ and $19$, we proved squareness
using the fact that the Brandt matrix of the Hecke correspondence $T_2$ has column
sums which are even. However, this evenness property fails in general. For instance,
when $p = 23$ we have

$$ B(2) = \begin{pmatrix} 1 & 2 & 0 \\ 1 & 1 & 1 \\ 0 & 3 & 0 \end{pmatrix} $$

which means we cannot expect $P_D(j_{23}(E))$ to be a perfect square unless the number
$j_{23}(E)$ mod 23 differs from every possible pair of supersingular $j_{23}$-invariants by
quantities having the same quadratic character mod 23. This condition is fulfilled
by about one quarter of the curves satisfying the hypotheses of Theorem 1.1, and
for these curves the proof of the theorem goes through unchanged.

Even when $P_D(X)$ is not guaranteed to be a perfect square mod $p$, empirical
evidence indicates that the polynomial is sometimes a perfect square anyway. For
example, when $p = 23$, a computer search up to $\ell = 400$ indicates that the primes
101, 173, and 317 have polynomials with square factorizations. It therefore seems
reasonable that classifying the square occurrences of $P_D(X)$ would lead to a proof
of the theorem in these cases.